Using trap cache segments to detect malicious processes
Abstract
Provided are a computer program product, system, and method for using trap cache segments to detect malicious processes. A trap cache segment to the cache for data in the storage and indicated as a trap cache segment. Cache segments are added to the cache having data from the storage that are not indicated as trap cache segments. A memory function call from a process executing in the computer system reads data from a region of a memory device to output the read data to a buffer of the memory device. A determination is made as to whether the region of the memory device includes the trap cache segment. The memory function call is blocked and the process is treated as a potentially malicious process in response to determining that the region includes the trap cache segment.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer program product for detecting potentially malicious code accessing data in a computer system having a cache to store data from a storage, the computer program product comprising a computer readable storage medium having computer readable program code embodied therein that when executed performs operations, the operations comprising:
providing a trap cache segment in the cache for a location in the storage;
processing a call from a process that bypasses a cache manager managing the cache, to read a target cache segment from the cache;
determining whether the target cache segment of the call from the process comprises the trap cache segment; and
blocking the call as a potentially malicious process in response to determining that the target cache segment of the call from the process comprises the trap cache segment.
2. The computer program product of claim 1 , wherein the operations further comprise:
generating a cache control block for the trap cache segment; and
setting a trap flag in the cache control block for the trap cache segment to indicate that the trap cache segment in the cache comprises a trap cache segment.
3. The computer program product of claim 2 , wherein the operations further comprise:
indicating in the cache control block for the trap cache segment that the trap cache segment has valid data; and
including trap data in the trap cache segment in the cache.
4. The computer program product of claim 3 , wherein the trap data comprises one of random data and simulated user sensitive information.
5. The computer program product of claim 1 , wherein the process that bypasses the cache manager managing the cache comprises a first process, the operations further comprising:
processing a call from a second process that accesses the cache manager managing the cache, to read or write to a target cache segment from the cache;
determining whether the target cache segment of the call from the second process comprises the trap cache segment; and
providing read or write access to the data in the target cache segment of the call from the second process in response to determining that the target cache segment of the call from the second process comprises the trap cache segment.
6. The computer program product of claim 5 , further comprising, in response to determining that the target cache segment of the call from the second process comprises the trap cache segment, indicating the trap cache segment as not comprising a trap cache segment, and adding a new trap cache segment to the cache having a cache control block indicating a track in the storage not currently stored in the cache.
7. The computer program product of claim 1 , wherein the operations further comprise:
adding indication of the trap cache segment to a cache list used to determine cache segments to destage from the cache;
in response to initiating a destaging operation, processing an entry in the cache list to select a cache segment to destage;
determining whether the selected cache segment comprises a trap cache segment;
moving indication of the trap cache segment to a new location in the cache list in response to determining that the selected cache segment comprises the trap cache segment to retain the trap cache segment in the cache; and
destaging the selected cache segment from the cache in response to determining that the selected cache segment does not comprise the trap cache segment.
8. A system for detecting potentially malicious code accessing data stored in a storage, comprising:
a processor;
a cache implemented in a memory device; and
a computer readable storage medium having computer readable program code embodied therein that when executed performs operations, the operations comprising:
providing a trap cache segment in the cache for a location in the storage;
processing a call from a process that bypasses a cache manager managing the cache, to read a target cache segment from the cache;
determining whether the target cache segment of the call from the process comprises the trap cache segment; and
blocking the call as a potentially malicious process in response to determining that the target cache segment of the call from the process comprises the trap cache segment.
9. The system of claim 8 , wherein the operations further comprise:
generating a cache control block for the trap cache segment; and
setting a trap flag in the cache control block for the trap cache segment to indicate that the trap cache segment in the cache comprises a trap cache segment.
10. The system of claim 9 , wherein the operations further comprise:
indicating in the cache control block for the trap cache segment that the trap cache segment has valid data; and
including trap data in the trap cache segment in the cache.
11. The system of claim 10 , wherein the trap data comprises one of random data and simulated user sensitive information.
12. The system of claim 8 , wherein the process that bypasses the cache manager managing the cache comprises a first process, the operations further comprising:
processing a call from a second process that accesses the cache manager managing the cache, to read or write to a target cache segment from the cache;
determining whether the target cache segment of the call from the second process comprises the trap cache segment; and
providing read or write access to the data in the target cache segment of the call from the second process in response to determining that the target cache segment of the call from the second process comprises the trap cache segment.
13. The system of claim 12 , further comprising, in response to determining that the target cache segment of the call from the second process comprises the trap cache segment, indicating the trap cache segment as not comprising a trap cache segment, and adding a new trap cache segment to the cache having a cache control block indicating a track in the storage not currently stored in the cache.
14. The system of claim 8 , wherein the operations further comprise:
adding indication of the trap cache segment to a cache list used to determine cache segments to destage from the cache;
in response to initiating a destaging operation, processing an entry in the cache list to select a cache segment to destage;
determining whether the selected cache segment comprises a trap cache segment;
moving indication of the trap cache segment to a new location in the cache list in response to determining that the selected cache segment comprises the trap cache segment to retain the trap cache segment in the cache; and
destaging the selected cache segment from the cache in response to determining that the selected cache segment does not comprise the trap cache segment.
15. A method for detecting potentially malicious code accessing data in a computer system having a cache to store data from a storage, comprising:
providing a trap cache segment in the cache for a location in the storage;
processing a call from a process that bypasses a cache manager managing the cache, to read a target cache segment from the cache;
determining whether the target cache segment of the call from the process comprises the trap cache segment; and
blocking the call as a potentially malicious process in response to determining that the target cache segment of the call from the process comprises the trap cache segment.
16. The method of claim 15 , further comprising:
generating a cache control block for the trap cache segment; and
setting a trap flag in the cache control block for the trap cache segment to indicate that the trap cache segment in the cache comprises a trap cache segment.
17. The method of claim 16 , further comprising:
indicating in the cache control block for the trap cache segment that the trap cache segment has valid data; and
including trap data in the trap cache segment in the cache.
18. The method of claim 15 , wherein the process that bypasses a cache manager managing the cache comprises a first process, the method further comprising:
processing a call from a second process that accesses the cache manager managing the cache, to read or write to a target cache segment from the cache;
determining whether the target cache segment of the call from the second process comprises the trap cache segment; and
providing read or write access to the data in the target cache segment of the call from the second process in response to determining that the target cache segment of the call from the second process comprises the trap cache segment.
19. The method of claim 18 , further comprising, in response to determining that the target cache segment of the call from the second process comprises the trap cache segment, indicating the trap cache segment as not comprising a trap cache segment, and adding a new trap cache segment to the cache having a cache control block indicating a track in the storage not currently stored in the cache.
20. The method of claim 15 , further comprising:
adding indication of the trap cache segment to a cache list used to determine cache segments to destage from the cache;
in response to initiating a destaging operation, processing an entry in the cache list to select a cache segment to destage;
determining whether the selected cache segment comprises a trap cache segment;
moving indication of the trap cache segment to a new location in the cache list in response to determining that the selected cache segment comprises the trap cache segment to retain the trap cache segment in the cache; and
destaging the selected cache segment from the cache in response to determining that the selected cache segment does not comprise the trap cache segment.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.